Another major WordPress plugin vulnerability puts thousands of sites at risk
Bug existed in an extension of a popular WordPress plugin
Cybersecurity researchers have helped patch a security flaw in a popular WordPress plugin that attackers could exploit to take over a website.
Discovered by WordPress security experts Wordfence, the vulnerability exists in the "Preview E-mails for WooCommerce" plugin, which, as its name suggests, is an extension for WooCommerce, the widely used plugin for adding an online store to an existing WordPress website.
"Preview E-mails for WooCommerce" lets site owners preview the emails WooCommerce sends to customers before they go out, and has an installation base of over 20,000 websites.
Unchecked input
According to Wordfence threat analyst Chloe Chamberland, attackers could exploit the flaw to inject malicious JavaScript into a page of the site, where it would execute if the attacker successfully tricked a logged-in administrator into performing an action such as clicking on a crafted link.
Explaining how the vulnerability, tracked as CVE-2021-42363, works, she says it existed because a key component of the affected plugin neither sanitized user-supplied input nor escaped it before writing it back into the page, giving attackers the opportunity to inject malicious code.
“This meant that if an attacker could successfully convince a site administrator to click on a link, they could get malicious JavaScript to execute in that administrator’s browser. This script could be crafted to inject a new administrative user or even modify a plugin or theme file to include a backdoor which in turn would grant the attacker the ability to completely take over the site,” explains Chamberland.
Technically, the flaw is a reflected cross-site scripting (XSS) vulnerability: the malicious input travels in the attacker's crafted URL and is echoed back unescaped into the page the victim's browser renders, so no code has to be stored on the site beforehand. Wordfence brought the issue to the attention of the plugin's developer, who released a patch to address it in just over a week; site owners running the plugin should update to the patched version.
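The article does not show the plugin's code, so the following is an added illustration, not the plugin's own code or Wordfence's proof of concept. It reproduces the pattern in miniature in JavaScript (WordPress plugins are written in PHP, but the logic is identical; in WordPress the escaping step would be esc_html() or esc_attr(), and input validation sanitize_text_field()). The page name, the template and subject parameters, the template list and the attack link are all hypothetical and constructed for this example.

```javascript
// Added illustration of a reflected XSS in an admin-only "email preview" page and
// the fix. Not the plugin's code; all parameter names and templates are hypothetical.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Output escaping (the role esc_html() plays in WordPress): every character that
// can change HTML context becomes an entity, so the browser renders the value as
// text instead of parsing it as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Hypothetical allow-list of email templates the preview page can render.
const KNOWN_TEMPLATES = new Set(['new_order', 'customer_invoice', 'customer_note']);

// Parse the query string of a constructed admin URL (relative URLs need a base).
function parseParams(url) {
  return Object.fromEntries(new URL(url, 'https://shop.example').searchParams);
}

// Vulnerable version: request parameters are concatenated straight into the HTML.
// The attacker controls the URL; whoever opens it (an administrator) runs the result.
function renderPreviewVulnerable(url) {
  const p = parseParams(url);
  return `<h1>Preview: ${p.template}</h1>\n<p>Subject: ${p.subject}</p>`;
}

// Hardened version: validate the template against the allow-list and escape every
// reflected value at the point where it is written into HTML.
function renderPreviewHardened(url) {
  const p = parseParams(url);
  const template = KNOWN_TEMPLATES.has(p.template) ? p.template : 'new_order';
  return `<h1>Preview: ${escapeHtml(template)}</h1>\n<p>Subject: ${escapeHtml(p.subject ?? '')}</p>`;
}

// Crude check, only to make the difference visible here: does the rendered page
// contain markup that would execute script? (A real test loads it in a browser.)
function containsActiveMarkup(html) {
  return /<script\b|<img\b[^>]*\bonerror\s*=/i.test(html);
}

// Constructed attacker link of the kind an admin would be tricked into clicking.
// The onerror handler stands in for the "add an admin user" script the article describes.
const PAYLOAD = `<img src=x onerror="fetch('/wp-admin/user-new.php')">`;
const ATTACK_URL =
  '/wp-admin/admin.php?page=preview-email&template=new_order&subject=' + encodeURIComponent(PAYLOAD);

function demo() {
  const vulnerable = renderPreviewVulnerable(ATTACK_URL);
  const hardened = renderPreviewHardened(ATTACK_URL);
  return {
    vulnerableExecutes: containsActiveMarkup(vulnerable), // true: payload reflected verbatim
    hardenedExecutes: containsActiveMarkup(hardened),     // false: payload rendered as text
    hardened,
  };
}

console.log(demo());
```

The important point for anyone reviewing plugin code is where the escaping happens: at output, on every value that reaches the page, regardless of whether the page is only reachable by administrators. The administrator's session is exactly what makes the reflected script valuable, because the injected code inherits the admin's cookies and nonces when it calls back into wp-admin.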
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.